Private Slots

Brandon Benvie brandon at brandonbenvie.com
Wed Jan 16 16:03:51 PST 2013


That's exactly how I was thinking of it. @@hasInstance and @@create live on
Function.prototype so the only protection a sandbox has from letting any
and all comers muck with them is in them not being reflected.

Overriding Function.prototype.@@create (and the custom ones e.g.
Boolean.@@create)
would allow you to touch every single object that is created before any
other code as access to it. Overriding Function.prototype.@@hasInstance
would give you access to every object used on the LHS of instanceof and
every function on the RHS of instanceof (`this` inside @@hasInstance).
These seem like things that SES would absolutely want access prevented to.
The default functionality itself may be mundane, but the exposure of the
operands is itself the power those functions have.


On Wed, Jan 16, 2013 at 6:53 PM, Allen Wirfs-Brock <allen at wirfs-brock.com>wrote:

>
> On Jan 16, 2013, at 3:20 PM, Brandon Benvie wrote:
>
> > It's worth noting that private Symbols *are* used by the ES6 spec to
> solve a number of other problems currently. They are used to provide easy
> to use hooks for overriding builtin functionality: @@hasInstance, @@create,
> @@toStringTag, @@iterator, and @@ToPrimitive. Some of these (@@toStringTag,
> @@iterator) likely make sense as unique symbols, but the others protect
> access to powerful capabilities that should likely be protected. Without
> private symbols, it would be difficult to expose these APIs in the easily
> hookable manner they are provided now. Using prototypal inheritance along
> with private symbols to protect access is exactly how these hooks are made
> easy to use.
> >
>
>
> Let's refer to all of these built-in @@symbols as language extensions
> points.
>
> Upon my first reading of the above, I wasn't sure I agreed with Brandon.
>  After all, language extension point symbols all need to be publicly
> available (presumably via module imports)  if certain forms of extended
> abstractions are going to be defined by ES code.  From that perspective
> regular non-private Symbols should be fine for representing language
> extension points. (BTW, note I avoid saying "unique symbol" as that isn't
> current part of the ES6 vocabulary.  We have Symbols, some of which are
> private.  But all of them (including private Symbols) are unique values.)
>
> However, here is why it might make sense to make some of language
> extension points private:  If you are creating a sandboxed environment
> where you would like to limit the availability of some of the language
> extension points and hence the ability to define new abstractions with the
> extended functionality.   A sandbox's module loader can presumably restrict
> access to the modules that would export some or all of the language
> extension points.  However, if the language extension points are
> represented using regular, non-private Symbols then it still might be
> possible to discover the language extension points via reflection and then
> use them to circumvent the sandbox restrictions.  If they are represented
> as private Symbols this would not be possible.
>
> So that is a theoretical reason why  we might want language extension
> points to be private Symbols. But, in practice, it isn't clear to me why
> you would want to sandbox any of the currently identified language
> extension points in this manner.  They all have utility in defining
> application level abstractions.  That's why they're there. If you take them
> away you have a less powerful language.  It also isn't clear what potential
> hard is exposed by them.
>
> Does anyone have particular language extension points that they think need
> to be restricted in this manner?
>
> Allen
>
>
>
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20130116/a8507765/attachment.html>


More information about the es-discuss mailing list